The Journey of a Network Engineer

In the first part we saw how DMVPN works: the dynamic tunnels, and how spokes can be mapped to each other to allow direct spoke-to-spoke traffic. But everything fails if the hub goes down, since the hub is critical to keeping the DMVPN network up. Dual-hub DMVPN designs exist for exactly this redundancy, and that is what we look at in this entry. The diagram shows CE1 and CE5 acting as hubs, with the remaining routers as spokes. Let's have a look at the network used for this:

We did not protect our traffic in part 1, so in this entry we protect the tunnels with IPsec. Here is a sample IPsec configuration I made:

Here we use a single pre-shared key to authenticate every peer. This is a bad design from a security standpoint, and I highly recommend not doing it outside a lab: any one compromised spoke then holds the key that authenticates every other peer, including the hub. We created an IPsec profile called ASA; this profile is applied on the tunnel interface to protect the tunnel:

int tu 1
tunnel protection ipsec profile ASA

For the dual-hub configuration, a few lines need to be added to the hubs; they are highlighted in a different color in the configs below:
CE1#show run int tu 1
Building configuration…
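The following is an added example and not the post's own configuration. It shows the IPsec profile ASA used by the tunnel protection command above, the weak wildcard key beside per-peer keys, and the lines a spoke needs for a second hub. The addresses are assumptions: tunnel subnet 172.16.1.0/24, hub CE1 WAN 10.0.0.2, hub CE5 WAN 10.0.0.34, spoke CE3 WAN 10.0.0.18, spoke CE4 WAN 10.0.0.26 (the only one given in the topology), WAN interface GigabitEthernet0/0, EIGRP AS 100.

```cisco
! Added example, not the post's configuration. Assumed addresses:
! tunnel 172.16.1.0/24, CE1 WAN 10.0.0.2, CE5 WAN 10.0.0.34,
! CE3 WAN 10.0.0.18, CE4 WAN 10.0.0.26, EIGRP AS 100.
!
! --- Weak: one wildcard key shared by every peer (what the post does) ---
! crypto isakmp key S3cr3t address 0.0.0.0 0.0.0.0
!
! --- Better: one key per peer; a key stolen from one spoke cannot be
!     used to impersonate a hub to the other spokes ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CE1-uniqueKey address 10.0.0.2
crypto isakmp key CE5-uniqueKey address 10.0.0.34
! CE4 also builds a direct tunnel to CE3, so it needs CE3's key too
crypto isakmp key CE3-uniqueKey address 10.0.0.18
!
! Transport mode: GRE already provides the outer IP header
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile ASA
 set transform-set DMVPN-TS
!
! ===== Spoke CE4: dual-hub additions =====
interface Tunnel1
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ! hub CE1 (as in part 1)
 ip nhrp map 172.16.1.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp nhs 172.16.1.1
 ! hub CE5: second static mapping, multicast mapping and next-hop server
 ip nhrp map 172.16.1.5 10.0.0.34
 ip nhrp map multicast 10.0.0.34
 ip nhrp nhs 172.16.1.5
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ASA
```

CE5 is configured exactly like CE1 (mGRE, ip nhrp map multicast dynamic, split horizon and next-hop-self disabled for EIGRP), so each spoke registers with both hubs and keeps both EIGRP adjacencies; losing one hub does not tear down the spoke routes. Verify with show dmvpn (both NHS entries should be UP), show crypto isakmp sa (QM_IDLE per peer) and show ip eigrp neighbors on a spoke. Per-peer pre-shared keys stop scaling once spokes build direct tunnels to each other, because every spoke pair needs its own key; the scalable fix is certificate authentication (authentication rsa-sig with a PKI trustpoint), which is a separate topic.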

Since CE4 has a mapping for CE3, traffic went spoke to spoke without going through the hub, which saves WAN bandwidth. Traffic to CE2, on the other hand, had to travel through CE1 (the hub), as we did not add a mapping for it. Note that even for CE4 and CE3 to communicate, both must first have registered with CE1, because the routes themselves are learned through the hub.

In the next entry, I will add authentication and encryption of the tunnels, and configure a dual-hub scenario. If you need the topology and configurations, just drop a comment!

Configuring a site-to-site VPN is straightforward, but it does not scale. Imagine how many tunnels must be created to connect 10 sites, especially if inter-site communication is desired: a full mesh of 10 sites needs 45 point-to-point tunnels. A better solution for interconnecting multiple sites is Dynamic Multipoint Virtual Private Network (DMVPN).

DMVPN relies on the Next Hop Resolution Protocol (NHRP), which maps tunnel addresses to the public (NBMA) addresses of the peers, much like Inverse ARP does in Frame Relay networks. The traffic itself can be protected with IPsec.

DMVPN uses a hub-and-spoke topology. We have chosen CE1 as the hub, while CE2, CE3 and CE4 are the spokes. Note that the CE routers always take the higher IP of each PE-CE subnet, so on the PE3-CE4 link the IP used by CE4 is 10.0.0.26. We also added loopback interfaces to test connectivity among the CEs.

Network Diagram: DMVPN Topology

In the provider network we run OSPF, while the CEs use EIGRP over the tunnel to exchange routes with each other. Let's configure the hub tunnel interface:

The hub configuration is straightforward: define the tunnel interface and its IP address, use the WAN interface as the tunnel source, and set no tunnel destination, since this is multipoint GRE. The no ip split-horizon eigrp command is required because we want the hub to re-advertise the routes it receives on the tunnel interface back out to the other spokes; this is similar to Frame Relay multipoint interfaces.

The spoke tunnel interface has a similar configuration, with a few added commands.

First, we need a static NHRP mapping of the hub's tunnel IP to its WAN IP, and we point the spoke at the hub as its next-hop server. Second, we add multicast mappings for the WAN IPs. This is essential so that the router replicates multicast onto these mappings; without it, routing protocol traffic cannot be sent across the tunnel. Remember that routing protocols such as EIGRP use multicast to talk to their neighbors.

What happens if we only map the hub? All spoke-to-spoke traffic goes through the hub first, wasting WAN bandwidth and hub capacity. By also defining mappings for the other spokes, we let traffic flow directly between the spokes without passing through the hub.

In this example, I mapped CE3's tunnel and WAN addresses on CE4, so CE3 and CE4 can reach each other directly, while CE4 must traverse the hub to reach CE2.
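The hub and spoke configurations described above, as an added example that is not the post's own config. The addresses are assumptions: tunnel subnet 172.16.1.0/24, CE1 (hub) tunnel .1 with WAN 10.0.0.2, CE2 tunnel .2 with WAN 10.0.0.10, CE3 tunnel .3 with WAN 10.0.0.18, CE4 tunnel .4 with WAN 10.0.0.26 (the one address given in the topology), loopbacks 192.168.N.0/24 per CEN, WAN interface GigabitEthernet0/0, EIGRP AS 100.

```cisco
! Added example, not the post's configs. Assumed: tunnel 172.16.1.0/24,
! CE1 tunnel .1 / WAN 10.0.0.2, CE3 tunnel .3 / WAN 10.0.0.18,
! CE4 tunnel .4 / WAN 10.0.0.26, loopbacks 192.168.N.0/24, EIGRP AS 100.
!
! ===== Hub CE1 =====
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ! replicate EIGRP multicast to every spoke that registers
 ip nhrp map multicast dynamic
 ! re-advertise spoke routes out of the same tunnel interface
 no ip split-horizon eigrp 100
 ! keep the originating spoke as next hop, so CE4 routes to CE3 via 172.16.1.3
 ! and its static mapping for CE3 is actually used; without this every route
 ! points at the hub and spoke mappings never carry traffic
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 ! no tunnel destination: multipoint GRE
 tunnel mode gre multipoint
 tunnel key 1
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! ===== Spoke CE4 =====
interface Tunnel1
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ! static mapping for the hub, multicast to the hub, hub as next-hop server
 ip nhrp map 172.16.1.1 10.0.0.2
 ip nhrp map multicast 10.0.0.2
 ip nhrp nhs 172.16.1.1
 ! static mapping for spoke CE3: direct CE4 <-> CE3 path, no hub transit
 ip nhrp map 172.16.1.3 10.0.0.18
 ip nhrp map multicast 10.0.0.18
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.4.0 0.0.0.255
```

CE2 and CE3 use the same spoke template with their own addresses (CE3 gets the matching static mapping for CE4). Check the result with show ip nhrp on CE4 (static entries for .1 and .3, a dynamic one for the hub registration), traceroute from CE4's loopback to CE3's loopback (one tunnel hop, no hub), and the same to CE2 (via 172.16.1.1). Note that with next-hop-self disabled on the hub, a DMVPN phase 2 spoke can also resolve another spoke's WAN address dynamically by sending an NHRP resolution request to the hub; the static spoke mapping used in the post simply pre-populates what that request would learn. Until IPsec is added, all of this GRE traffic crosses the provider network in clear text.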

Previously we saw how site-to-site VPN works. In this example I use the topology below to configure a site-to-site VPN, then create a GRE tunnel and secure it with IPsec (GRE over IPsec). Plain IPsec carries only unicast IP, so wrapping the traffic in GRE first gives routing protocols, which rely on multicast hellos, the ability to traverse the sites securely.

Branch connectivity to the HQ or the data center is one of the essential topics almost every business has to deal with. Various methods have been developed to connect branches; all of them fall under WAN connectivity. WAN connectivity can be achieved using:

MPLS VPN

Dedicated Leased Lines

Internet

Even when the Internet is used for branch connectivity, various methods and models can be used: Dynamic Multipoint VPN (DMVPN), SSL VPN for remote clients, IPsec VPN, etc. We discuss IPsec site-to-site VPN here and later look at a sample configuration.

Site-to-site VPN uses the Internet Security Association and Key Management Protocol (ISAKMP, the framework IKE is built on) together with IPsec to create the tunnel. ISAKMP/IKE is the negotiation protocol that lets two routers authenticate each other and agree on the keys that secure the tunnel. This negotiation is done in two phases.

Phase one authenticates the peers and creates the first security association (the ISAKMP SA); this SA protects the negotiation of the second phase. In other words, phase one protects the IPsec parameters as they are negotiated between the endpoints.

Phase two negotiates the IPsec SAs themselves: the encryption and integrity algorithms (the transform set) that are then applied to the interesting traffic defined by the crypto ACL.
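The two phases just described, applied to the GRE over IPsec design from the earlier entry, as an added example that is not the post's own configuration. Everything here is assumed: R1 WAN 203.0.113.1 and R2 WAN 203.0.113.2, tunnel subnet 10.10.10.0/30, LANs 192.168.1.0/24 behind R1 and 192.168.2.0/24 behind R2, EIGRP AS 100. Only R1 is shown; R2 mirrors it with the addresses swapped.

```cisco
! Added example, not the post's configuration. Assumed: R1 WAN 203.0.113.1,
! R2 WAN 203.0.113.2, tunnel 10.10.10.0/30, R1 LAN 192.168.1.0/24, EIGRP AS 100.
!
! ----- Phase 1: ISAKMP policy and peer authentication -----
! Protects the phase 2 negotiation. Use a key unique to this peer pair.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key R1R2-uniqueKey address 203.0.113.2
!
! ----- Phase 2: the IPsec transform set (encryption + integrity of data) -----
! Transport mode is enough: GRE supplies the outer IP header.
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic: only the GRE packets between the two WAN addresses.
! LAN-to-LAN traffic and the EIGRP multicast both ride inside that GRE.
ip access-list extended GRE-TO-R2
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set S2S-TS
 set pfs group14
 match address GRE-TO-R2
!
! The crypto map goes on the physical interface the tunnel is sourced from
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map S2S-MAP
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! leave room for GRE + ESP overhead instead of relying on fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
!
router eigrp 100
 network 10.10.10.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
```

Verify phase 1 with show crypto isakmp sa (the peer should be in QM_IDLE), phase 2 with show crypto ipsec sa (pkts encaps and pkts decaps increasing while you ping across), and the routing with show ip eigrp neighbors, which should list 10.10.10.2 on Tunnel0. If the ACL on R2 is not the exact mirror of GRE-TO-R2, phase 2 fails with a proxy identity mismatch, which is the most common reason a crypto-map tunnel stays down. The same profile-based alternative (crypto ipsec profile plus tunnel protection on the tunnel interface) avoids the ACL entirely and is what the DMVPN entries use.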

Although setting up Cisco Unified Communications Manager (CUCM) in VMware is pretty easy and straightforward, I had to struggle to get it up and running, partially because I was creating the VM wrongly. In this series I show the steps required to install CUCM. The prerequisites for a fully operational CUCM are:

A few components are required to set up CUCM, but one of them is essential: without a reachable, synchronized NTP server, CUCM will not install. We use GNS3 to connect the CUCM VM to a router configured as the NTP server. Figure 1 shows the essential configuration and the connectivity.

Figure 1: GNS3

The GNS3 cloud node is configured with the port that connects to the VMware network. Alternatively, a Windows Server can be installed in VMware and configured as domain controller, DNS server and NTP server.

The second component that may be required is DNS. During the CUCM install there is the option to enable the DNS client; if you enable it, the CUCM hostname must be resolvable or the installer stops. For this tutorial I have not done that, although for realistic practice it is best to configure the Windows Server, since other operations such as user authentication and user-related activities can then be practiced as well.
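An added example of the router side of this lab, not the post's Figure 1: a GNS3 router acting as the NTP server, and optionally answering DNS for the CUCM hostname. The addresses and names are assumptions: router 10.10.10.1/24 on the segment bridged to VMware, CUCM at 10.10.10.50, hostname cucm.lab.local.

```cisco
! Added example, not the post's Figure 1 configuration. Assumed: router
! 10.10.10.1/24 on the VMware-bridged segment, CUCM 10.10.10.50, cucm.lab.local.
!
clock timezone UTC 0
!
interface FastEthernet0/0
 description to VMware bridged network (GNS3 cloud node)
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Authoritative local clock. CUCM rejects an NTP server that reports itself
! unsynchronized, so in an isolated lab the router must be its own reference.
ntp master 3
ntp source FastEthernet0/0
!
! Optional: only needed if the DNS client is enabled during the CUCM install,
! in which case the installer checks that the hostname resolves.
ip dns server
ip domain name lab.local
ip host cucm.lab.local 10.10.10.50
!
! Checks to run before starting the installer:
!   show ntp status        -> "Clock is synchronized, stratum 3"
!   show ntp associations  -> 127.127.1.1 (local clock) marked with *
!   ping 10.10.10.50       -> the CUCM VM is reachable over the bridged port
```

If show ntp status reports "Clock is unsynchronized", the CUCM installer will fail its NTP check even though the router answers NTP; wait for the local clock to settle after ntp master. Anything that can reach this segment can also rewrite the time CUCM trusts, since the lab uses unauthenticated NTP; in a production deployment use an authenticated or internal-only time source.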

In part two, we look at how to create the VMware virtual machine, which is the second step. Mistakes in creating the VM cost many hours of trial and error.

Server network redundancy has been a hot topic for a while now. The ideal is a server connected to multiple switches over multiple links, providing both higher bandwidth and fault tolerance.

Doing so, however, creates challenges on both the network and the server side. Simply put, there is no protocol a server runs with the switches to keep the topology loop free in the spanning-tree sense. If we use LACP from the server towards two independent switches, the server sees no problem, but the network breaks with MAC address flaps, because the two switches do not know they share a port channel. If we connect the server with LACP to a single switch, bandwidth increases, but switch-level fault tolerance is lost.

Cisco's answer is VSS on the Catalyst 6500, where two switches become one logical switch, and vPC on the Nexus switches.

Another solution is Intel Advanced Networking Services (ANS) on the server's adapters, which offers several teaming and load-balancing modes. The mode that interests us is Switch Fault Tolerance (SFT).

Switch Fault Tolerance “SFT”

SFT uses two adapters connected to two different switches. Only the primary link is active; if the primary adapter, its cabling or its switch fails, the second adapter takes over the active role. Only two adapters can be assigned to an SFT team.

Figure 1: SFT Network Settings

The image shows the basic configuration. The switch ports are configured with PortFast (and, in this lab, LACP in dynamic mode), and STP runs on the switch uplinks. When operational, the team uses a single link while the second stays on standby; no EtherChannel forms across the two switches, since SFT is a failover team rather than link aggregation.

A virtual switching solution such as VSS or vPC is still the best way to provide both high bandwidth and fault tolerance, because it lets the server run an active/active LACP bundle towards two physical switches.

On-Demand Routing (ODR) is one of the simplest routing methods. It is not a routing protocol in itself: it uses the Cisco Discovery Protocol (CDP) to gather and propagate route information.

ODR is designed for hub-and-spoke networks where the spokes are stub sites with no further routers behind them, because ODR cannot propagate routes beyond the directly connected CDP neighbor.

Enabling ODR on the hub router makes the hub send a default route to each spoke over CDP, eliminating the need for a manual static route on each spoke. The spoke routers in turn send the prefixes of their connected networks to the hub; because they are sent as prefixes with their masks, ODR supports Variable Length Subnet Masks (VLSM). Furthermore, ODR routes can be redistributed into dynamic IP routing protocols on the hub.
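The hub and spoke sides of the ODR setup described above, as an added example that is not from the post. The topology is assumed: the hub reaches each spoke over a point-to-point serial link (10.1.1.0/30 to the first spoke), the spoke LAN is 192.168.10.0/24, and the hub runs OSPF process 1 towards the core on 10.0.0.0/24.

```cisco
! Added example, not from the post. Assumed: hub-spoke serial link 10.1.1.0/30,
! spoke LAN 192.168.10.0/24, OSPF process 1 on the hub's core side.
!
! ===== Hub =====
cdp run
!
! ODR learns the spoke prefixes from CDP and sends 0.0.0.0/0 back down
router odr
 ! optional: faster update/invalid/holddown/flush than the defaults
 timers basic 10 30 0 60
!
! Hand the spoke prefixes (with their masks, so VLSM is preserved) to the core
router ospf 1
 redistribute odr subnets
 network 10.0.0.0 0.0.0.255 area 0
!
! ===== Spoke =====
! No routing process at all; configuring one here would disable ODR behaviour.
cdp run
!
interface Serial0/0
 description to hub
 ip address 10.1.1.2 255.255.255.252
 cdp enable
!
! CDP carries platform, IOS version and addresses to anyone on the segment,
! and ODR has no authentication, so keep CDP off the LAN-facing port.
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
!
! Checks:
!   hub:   show ip route odr   -> "o 192.168.10.0/24 via 10.1.1.2"
!   spoke: show ip route       -> "o* 0.0.0.0/0 via 10.1.1.1"
```

Because the route information is carried in CDP, any device that can speak CDP on the hub-spoke link can inject a prefix into the hub's table and then into OSPF through the redistribution; that is acceptable on a private point-to-point circuit and not on a shared or untrusted segment. The default CDP hold time also bounds convergence: a spoke that goes silent is flushed from ODR only after the CDP and ODR timers expire.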

Virtual Switching System (VSS) was one of the early technologies introduced in the data center to remove the need for the Spanning Tree Protocol (STP) to block redundant links, giving networks and servers multiple active links in a non-blocking architecture.

The configuration is quite simple. First, define the VSS domain and assign the higher priority to the switch that should become the active (master) chassis. Second, create the Virtual Switch Link (VSL), which is basically an EtherChannel between the two chassis. Lastly, convert each switch from standalone to virtual mode.

Done; wait for the switches to reload. It takes a while, sometimes up to 10 minutes, for the VSS to reach a fully operational state. I will write other entries on the operation of VSS and on how supervisor or chassis failures affect it.
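The three steps above as one configuration, added here as an example and not taken from the post. Assumptions: virtual domain 10, the VSL built from TenGigabitEthernet5/4 and 5/5 on each chassis, port-channel 1 on chassis 1 and port-channel 2 on chassis 2.

```cisco
! Added example, not the post's configuration. Assumed: domain 10,
! VSL ports TenGigabitEthernet5/4-5 on each chassis, Po1 / Po2 for the VSL.
!
! ===== Chassis 1 (intended active) =====
switch virtual domain 10
 switch 1
 switch 1 priority 110
 switch 2 priority 100
!
interface Port-channel1
 description VSL to chassis 2
 switch virtual link 1
 no shutdown
!
interface range TenGigabitEthernet5/4 - 5
 channel-group 1 mode on
 no shutdown
!
! ===== Chassis 2 (intended standby) =====
switch virtual domain 10
 switch 2
 switch 1 priority 110
 switch 2 priority 100
!
interface Port-channel2
 description VSL to chassis 1
 switch virtual link 2
 no shutdown
!
interface range TenGigabitEthernet5/4 - 5
 channel-group 2 mode on
 no shutdown
!
! Then, from privileged EXEC on both chassis (they reload):
!   switch convert mode virtual
!
! After the reload, verify from the active chassis:
!   show switch virtual             -> domain 10, role Active / Standby
!   show switch virtual link        -> VSL status UP, both member ports
!   show switch virtual redundancy  -> standby in SSO (hot) state
```

Priority only decides the first election; there is no preemption by default, so after a failover the roles stay swapped until the next reload. The one failure mode to design for is the VSL itself going down while both chassis stay up: each then believes it is the active switch and both answer for the same addresses (a dual-active condition). Configure dual-active detection over a dedicated link (dual-active detection fast-hello under switch virtual domain, plus dual-active fast-hello on that interface) before putting the VSS into production.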